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Introduction to Fundamental Of Networking 


Network: 


When two or more than two electronic devices are 
communicating through wired or wireless media for the 
purpose of communicating data electronically, that is called 
network. 


Networking: 


Internet: 


Networking is a concept of communicating digital devices with 
each other through wired or wireless media for purpose of 
communicating data electronically. 


When different networks are interconnected with each other 
globally or interconnected to public network through ISP for 
the purpose of sharing and receiving information from web 
servers that is called Internet. 


Type of Network: 


There are mainly three type of network as follows- 


LAN (Local Area Network): LAN is a network that 


interconnects computers through hub or switch within a 
limited area under control of single organisation. 


Wi-Fi and Ethernet is the most common LAN technology. 
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WAN (Wide Area Network): WAN is a large area network 


in which network devices are interconnected through Routers 
and ISP’s to globally under control of several organization. 


WAN 


WAN 


Remote User 


MAN (Metropolitan Area Network): When more than 


one Local Area Network of same organisation are 
interconnected through Router but not to public network is 
called Metropolitan Network. 


Network Devices: 
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Personal Computer/Laptop- A computer isan electronic 
device that manipulates information, or data. It has the 
ability to store, retrieve, and process data. 

Server- A server isa centralized computer hardware or 
software that provides functionality to the other programs 
or devices, called "client". 


Database servers, File servers, Mail servers, Print servers, 
Web servers, Game servers, and Application servers are the 
example of server. 


Switch (Layer 2 device works on MAC)- A switch isa 
Layer-2 hardware device in a computer network that 
connects other devices like PCs, printers, Aps, Servers 
together. 

It is an intelligent network device and uses MAC 
addresses to send data packets to selected destination ports. 

It uses packet switching to send, receive or forward data 
packets from the source to the destination device. 


It is supports unicast (one-to-one), multicast (one-to- 
many) and broadcast (one-to-all) communications. 


Multilayer Switch- A multilayer or Layer 3 switch is 
basically a switch thatcan perform routing functions in 
addition to switching. 
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Router - Routers are networking devices operating at layer- 
3 of the OSI model which provide internetwork 
communication with the different networks. 

Responsible for receiving, analysing, and forwarding data 
packets from one network to another in the form of IP 
packets. 

It also provides best path selection. 


Firewall ( Layer3 & 4 works on IP address and Ports)- A 
firewall is a network security device either hardware or 
software based, which monitors all incoming and outgoing 
traffic and based on a defined set of security rules, it accepts, 
rejects or drops that specific traffic. 


Accept: Allow the traffic 

Reject : Block the traffic but reply with an “unreachable error” 
Drop: Block the traffic with no reply 

We placed hardware firewall between our network and 
untrusted network (Internet). 


There are three type of firewall- 

e Packet Filtering Firewall - Packet filtering firewall 
filters the traffic based on source and destination IP 
address, protocols and ports. Only it can allow or deny 
the packets based on unique packet headers. It does not 
check data/payload portion so there may be chances of 
malicious data. 

e Application/Proxy Firewall- Application layer firewall 
can filter the traffic up to application layer(Layer 7) of 
the OSI model means it checks the data/payload of the 
received packet. Due to this, it is much slower than 
packet filtering firewall. 

In other words, Application layer firewalls are 
hosts that run proxy servers. A proxy firewall prevents 
the direct connection between either side of the firewall, 
each packet has to pass through the proxy. 

e Hybrid Firewall- Hybrid firewalls are the firewalls that 
have the feature of both the firewalls, are known as 
NGFW. It provides the security from Advanced malware 


attacks and Application layer attack. NGFW consists of 
Deep Packet Inspection, Application Inspection, SSL/SSH 
inspection and many functionalities to protect the 
network from these modern threats. 


7- IPS/IDS- An Intrusion Prevention System (IPS) is a network 
security/threat prevention technology that examines 
network traffic flow to detect and prevent vulnerability 
exploits. Comes in hardware and software both form. 

An Intrusion Detection System (IDS) is a network 
security /threat detection technology that 
monitors network traffic for suspicious activity and alerts 
when such activity is discovered. 

It works on Layer 3, Layer 4 as well as Layer 7 
level. 

It is recommended to implement behind the 
firewall or WAF. 


8- e-Mail Security Appliance- Email Security Appliance is an 
email security gateway product which is designed to detect 
and block a wide variety of email-borne threats, such as 
malware, spam and phishing attempts. 


Cisco Iron Port is an example of e-Mail security appliance. 
Characteristics of Network: 
Speed: How fast data is being transmitted over the network. 


Cost: How much general cost of components, installation and 
maintenance is cost effective. 


Security: How much secure the network. 
Availability: Maximum uptime of network for user’s use. 
Scalability: Network design for future changing. 


Reliability: How much network device are reliable and how 
long device will work. 


OSI Layer Model: 


Open System Interconnection Model is a conceptual framework 
developed by “international Organisation of Standardization” 
which describes how systems communicate over a network. It 
allows various type of network devices to intercommunicate so 
that different vendor’s network can interoperate. 


It has Seven Layers- 


Layer 7 Application 


Layer 6 Presentation 
Layer 5 

Layer 4 Transport 
Layer 3 Network 
Layer 2 Data Link 


Layer 1 Physical 


1-Physical Layer: This layer is responsible for actual 
physical connection between the devices and just sends & 
receives the data in the form of bits (0 or 1). 


2-Data Link Layer: The data link layer is responsible for the 
node to node delivery of the message. This layer makes sure 
data is formatted in the correct way, takes care of error 
detection not correction and makes sure data is delivered 
reliably. 


It receives the data in packets, combines the packet into bytes 
and after that bytes to frames. This concept is called Framing 
or Encapsulation. 


Frame Contains source and destination mac address. 


3-Network Layer: Network layer is responsible for the 
transmission of data from one host to the other host located in 
different networks using best path/route and logical 
addressing (also called Packeting) by placing sender’s & 
receiver's IP address in header. 


IPv4 , IP v6. 


4-Transport Layer: Transport layer provides services to 
application layer and takes services from network layer. This 
layer is responsible for reliable transfer of data by ensuring at 
destination is error free and in order/sequence through 
acknowledgement. 


It takes the data from upper layer and forward to next layer 
after segmenting it and also implements Flow & Error Control 
(Error correction before transmit) to ensure proper data 
transmission. 


It can be Connection Oriented (TCP) and Connection Less 
(UDP) communication. 


5-Session Layer: The session layer takes care of 
establishing, managing and termination of sessions between 
two hosts. If the session is broken then this layer attempt to 
recover the session. Also keeps different application data 
separate from other application’s data while travelling. 


6-Presentation Layer: It presents data to Application 
Layer in readable format with data transmission and code 
formatting. It also compress/decompress and 
encryption/decryption of data. 


7-Application Layer: This layer provides the interface 
between user application and the device. Web browser and 
email client are the example of user application. 


ftp, http, pop3, telnet etc. 


What is TCP Protocol: 


TCP stands for Transmission Control Protocol which is a 
connection oriented and reliable communication protocol 
which works on layer 4 of OSI model (transport layer). It 
ensures message reaches its destination successfully and in 
sequence through acknowledgement. 


File Downloading, File Sharing, Printing etc. 


Transmission Control Protocol (TCP) Header 


20-60 bytes 
source port number destination port number 
2 bytes | 2 bytes 
sequence number 
4 bytes 
acknowledgement number 
| TEES 4 bytes 
data offset | reserved control flags window size 
4 bits 3 bits 9 bits 2 bytes 
checksum urgent pointer 

2 bytes 2 bytes 


TCP Three Way Handshaking : 
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What is UDP Protocol: 


UDP stands for User Datagram Protocol which is a connection 
less communication protocol. It provides unreliable & 
unacknowledged delivery of message to destination. 


VoIP, Video Streaming 


Bit 0 Bit15 Bit 16 Bit 31 


UDP Segment 
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Network Ports: 


A port is a virtual point where network connections start and 
end. Network ports are provided by the TCP or UDP protocols 
at transport layer. Ports are software-based and managed by a 
computer's operating system. Each port is associated with a 
specific process or service. Port numbers are used to determine 
which protocol incoming traffic should be directed to. 


Ports use is regulated by the Internet Corporation for 
Assigning Names and Numbers (ICANN). 


Classification of port numbers 


The port numbers are divided into three categories: 


o Well-known ports 
o Registered ports 


o Dynamic ports 


Port Number Range Part Group 


49152 to 65535 Private and/or Dynamic Ports 


Some Common Ports are- 


ftp : 20, 21, 
ssh: 22 
telnet: 23 
smtp : 25 


dns: 53 

http: 80 

https or ssl : 443 
rdp : 3389 

ntp : 123 

imap4 :143 
pop3: 110 


IP Address V4: 


IP is a unique identifier to each device connected to 
network that uses the IP protocol for communication. 


It is a 32 bit logical address ( 4 octet of 8 bit) which contains 
network and host part. 


IPv4 address in dotted-decimal notation 


172 . 16 . 254 . 1 
+ + + + 


10101100 .00010000.11111110.00000001 


a L——— l 
8 bits 


32 bits (4 bytes) 


octet 
, An. 
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IP Address v4 Class Range: 


IP address classes (pre 1993 mindset) 


16M hosts 
Class A 1.0.0.1 to 126.255.255.254 {Sut ROSS 
Class B 128.1.0.1 to 64K hosts 
191.255.255.254 16K networks 
192.0.1.1 to 254 hosts 
Class C 223.255.254.254 2M networks 
Class D 224.0.0.0 to Multicast 


239.255.255.255 


240.0.0.0 to 
254.255.255.254 


Class E R&D == wasted 


# 127.0.0.1 is a loopback IP. 


Domain Name System: 


The Domain Name System is a hierarchical and decentralized 


naming system for computers, services, or other resources 


connected to the Internet or a private network. 


DNS translates human readable domain names to machine 


readable IP addresses. 


DNS Records- 


A Record(Address Mapping Record)- Known as a DNS 
host record, The record that holds the IP address of a 
domain. 

AAAA Record (IP Version 6 Address record)- The record 
that contains the IPv6 address for a domain. 

CNAME Record (Canonical Name record)- A canonical 
name (CNAME) is a record that forwards one domain or 
subdomain to another domain, does NOT provide an IP 
address. 

MX Record (Mail exchanger record)- Directs mail to an 
email server. 

NS Record (Name Server records) - A name server (NS) 
record provides a list of the authoritative DNS servers (also 
called name servers) responsible for the domain that you're 
querying. 

PTR Record (Reverse-lookup Pointer records)- Allows a 
DNS resolver to provide an IP address and receive a 
hostname (reverse DNS lookup). 


CERT Record (Certificate record)- Stores encryption 
certificates—PKIX, SPKI, PGP, and so on. 

SOA record - Stores admin information about a domain. 
SRV Record (Service Location)- Specifies a port for 
specific services. 

TXT Record (Text Record)- Allows admin to store text 
notes in the record. These records are often used for email 
security. 


SPF- An Sender Policy Framework record is a DNS 
TXT record containing a list of the IP addresses that are 
allowed to send email on behalf of your domain. 


DKIM- Domain Keys Identified Mail (DKIM) is an 
authentication standard used to prevent email spoofing. 


DMARC- Stands for Domain-based Message 
Authentication, Reporting, and Conformance is TXT 
record used by receiving mail servers to determine what 
to do with a failed message. 


Tell the recipient server to either: Quarantine the 
message or Reject the message or Allow the message to 
continue delivery. 


Sends reports to an email address or addresses 
with data about all the messages seen from the domain. 


Introduction to Information System Security 


Information Security: 


Information security is a concept to protect of both physical 
and digital information and information systems from 
unauthorized access, use, disclosure, disruption, modification, 
or destruction in order to provide confidentiality, integrity, and 
availability. 


Cyber Security: 


Cyber security is a concept to protect digital information and 
information systems ie: networks, devices, programs, and 
data from, Cyber Attack, damage, or unauthorized access, use, 
disclosure, disruption, modification, or destruction in order to 
provide confidentiality, integrity, and availability. 


Cyber Security is considered as subset of Information 
security. 


CIA Triad: 


Confidentiality, Integrity and Availability, also known as the 
CIA triad. 


Confidentiality- A concept which insures and protect the data 
from unauthorized access. The data is available only to the 
intended and authorized person. 


Integrity- This concept insures the accuracy and consistency of 
data. Means make sure that data is reliable and not changed by 
unauthorized person. 


Availability- It make sure that the data, network 
resources/services are available every time when authorized 
user require it. 


What is Asset:- 


Any valuable thing of an organization which can be in the form 
of software or hardware. 


What is Threat:- 


A threat is a potential danger or risk to an asset of an 
organization. It is of two types- 


Latent Threat- A threat which is not publically known is 
called Latent Threat. 


Realized Threat-Realized threat are the threat which are 
publically known but still hack able even after patch issued due 
to patch not applied, is called realized threat. 


What is Malware: 


Malware is a threat in form of a malicious software or code 
which is intentionally designed to cause damage of computer, 
server or computer network. 


What is SPAM eMail: 


Spam email is unsolicited and unwanted junk email sent out in 
bulk to a recipient list sent for commercial purposes. 


What is eMail Spoofing: 


Email spoofing is a form of cyber-attack in which a hacker 
sends an email that has been manipulated to seem as it 
originated from a trusted source. 


What is Attack: A cyber-attack is an exploitation of computer 
systems and networks. It uses malicious code to alter computer 


code, logic or data and lead to cybercrimes, such as information 
and identity theft. 


Cyber-attacks can be classified into two categories- 


Web based attack and System based attack. 


Web based attack- These are the attacks which occur on a 
website or web applications. Some of the important web-based 
attacks are as follows- 


e Injection attacks- It is the attack, in which some data will 
be injected into a web application to manipulate the 
application and fetch the required information. 

Example- SQL Injection, Code Injection, Log Injection, XML 
Injection etc. 


e DNS Spoofing- DNS spoofing, also referred to as DNS cache 
poisoning, is a form of computer security hacking in which 
corrupt Domain Name System data is introduced into the 
DNS resolver's cache, causing the name server to return an 
incorrect result record, Exa.- an IP address. 


e Session Hijacking- It is a security attack on a user session 
over a protected network. Web applications create cookies 
to store the state and user sessions. By stealing the cookies, 
an attacker can have access to all of the user data. 


e Phishing- Phishing is a type of social engineering attack 
which attempts to steal sensitive information like user login 
credentials and credit card number. 

Attacker uses forged email contains malicious 
intended link or attachment tricking the email recipient into 
believing that the message is something important from 
their bank, or a note from someone in their company or 
replica websites of a genuine website as a weapon. 


e Brute Force- It is a type of attack which uses a trial and 
error method. This attack generates a large number of 
guesses and validates them to obtain actual data like user 
password and personal identification number. 


e DOS/DDOS- Dos/DDOS attack is a type of attack making a 
server, website or resource unavailable to the user It 
accomplishes this by flooding the target with traffic or 
sending it information that triggers a crash. 


DOS - Denial of Service - Attack that uses single source to 
flood a targeted resource. 


DDOS-Distributed Denial of Service- Attack that uses 
multiple source to flood a targeted resource. 


How to mitigate the DOS/DDOS attack? DDoS mitigation 


refers to the process of successfully protecting a targeted 
server or network from a distributed denial-of-service 
(DDoS) attack. 


By utilizing specially designed network equipment, we can 
mitigate the DOS/DDOS attack. Like Arbor, a product of 
Netscout and DefensePro, a product of Redware. 


e Dictionary attacks- This type of attack stored the list of a 
commonly used password and validated them to get original 
password. 


e URL Interpretation- It is a type of attack where we can 
change the certain parts of a URL, and one can make a web 
server to deliver web pages for which he is not authorized 
to browse. 


e File Inclusion attacks- It is a type of attack that allows an 
attacker to access unauthorized or essential files which is 
available on the web server or to execute malicious files on 
the web server by making use of the include functionality. 


e Man in the middle attacks- It is a type of attack that allows 
an attacker to intercepts the connection between client and 
server and acts as a bridge between them. Due to this, an 
attacker will be able to read, insert and modify the data in 
the intercepted connection. 


System based attack- These are the attacks which are 
intended to compromise a computer or a computer network. 
Some of the important system-based attacks are as follows- 


e Virus- A computer virus is a type of malware or program 
written to alter the way of a computer operates and is 
designed to spread from one computer to another by 
inserting or attaching itself to a legitimate program or 
document that supports macros in order to execute its code. 


In order for a virus to infect your computer, you have to 
run the infected program. 


e Worm- Another type of malware which is similar to virus 
but worms can be spread from computer to computer 
without any human interfere. 


e Trojan horse- A type of malware which presents itself as a 
genuine software and misleads to user but can cause of 


serious harms to the systems or computer network by 
deleting files and destroying the information. 


Trojan horse also creates backdoor o computer that gives 
access of a system to the malicious intended user. 


Like virus or worms, it does not self-replicate. 


Spyware- A malicious software that aims to gather 
information of a system installed on that device without the 
end user’s knowledge and permission. 


Adware- A malicious software that automatically displays 
or downloads advertising material such as banners or pop- 
ups when user is online. 


Ransom ware- Ransom ware is also a type of malware 
which is also known as shareware. This kind of malware can 
lock down your computer system and threaten to erase 
everything unless a ransom is paid to the hacker. 


APT: APT stands for advanced persistent threat is a 
network attack in which an unauthorized entity gains access 
to a network and stays undetected for a long time. 

The intention of an APT attack is to steal the data 
rather than to cause damage to the network or organisation. 


Botnet: Botnet is a network of infected computers that are 
made to work together under the control of an attacker. 


Types of Cyber Attackers: 


An attacker is the individual or organization who performs the 
malicious activities to destroy, expose, alter, disable, steal or 
gain unauthorized access to or make unauthorized use of an 
asset by identifying security weakness and using those 
vulnerabilities. 


There are four types of attackers which are as follows- 


Cyber Criminals- Cybercriminals are individual or group of 
people who use technology to commit cybercrime with the 
intention of stealing sensitive company information or 
personal data and generating profits. 


Hacking: 


Hacker: 


e Hactivists- Hacktivists are individuals or groups of hackers 
who carry out malicious activity to promote a political 
agenda, religious belief, or social ideology. 


e State Sponsored- State-sponsored attackers have 
particular objectives aligned with either the political, 
commercial or military interests of their country of origin. 


e Insider Threats-_ The insider threat is a threat to an 
organization's security or data that comes from within. 
These type of threats are usually occurred from employees 
or former employees. 


Hacking is an attempt or activity to compromise and gain 
unauthorized access to digital devices, networks and data or 
information by identifying their security weaknesses and using 
those vulnerabilities. 


Hacker is a computer expert who uses his/her technical skill to 
compromise digital device, network, data or application of an 
individual or an organization. 

Hackers are of different types and are named based on their 
intent of the hacking system. 


Type of Hacker: Basically there are three type of hacker as follows- 


White Hat or Ethical Hackers - White Hat Hackers do not 
intend to harm the system or organization but they do so, 
officially, to penetrate and locate the vulnerabilities, providing 
solutions to fix them and ensure safety. 


Black Hat - Contrary/Opposite to an ethical hacker, black hat 
hackers or non-ethical hackers perform hacking to fulfil their 
selfish intentions to collect monetary benefits. 


Gray Hat - Grey hat hackers are the combination of white and 
black hat hackers. They hack without any malicious intention 


for fun. They perform the hacking without any approval from 
the targeted organization. 


Script Kiddie- Do hacking activity for learning purpose. 
Cyber Terrorist- Do hacking for national enmities. 
Hacktivist- Do hacking activity for their Political moto. 


Ethical Hacking: 


Ethical hacking is a process of detecting vulnerabilities in an 
application, system, or organization’s infrastructure that an 
attacker can use to exploit an individual or organization to 
prevent Cyber Attacks and security breaches by lawfully 
hacking into the systems and looking for weak points. 


Type of Ethical Hacking: 


1- Social Engineering 

2- Web Application Hacking 
3- Web Server Hacking 

4- System Hacking 

5- Wireless Network Hacking 


Red Team V/S Blue Team in Hacking: 


Offensive Security - Defensive Security 

With Zero info. - With full info. of Infrastructure 
Ethical Hacking - Infrastructure Protection 
Exploiting Vulnerabilities -Damage Control 
Penetration Testing - Incident Response etc. 


Phase of Hacking: 
1- Information Gathering 


2- Scanning 

3- Gaining Access 
4-Maintaining Access 
5-Clearing Tracks 


Vulnerability: 


It is an exploitable weakness in software, system or in network 
etc by which cybercriminals gain unauthorized access to a 
computer system. After exploiting vulnerability, a cyber-attack 
can run malicious’ code, installmalwareand even 
steal sensitive data. 


Zero Days Vulnerability- A zero-day vulnerability is 
a vulnerability in a system or device that is either unknown or 


if it has been disclosed but not yet patched. Also known as zero 
day exploit. Until the vulnerability is 
mitigated, hackers canexploitit to affect programs, data, 
computers or a network. 


Zero Days Attack- An exploit directed at a zero-day 
vulnerability is called a zero-day exploit, or zero-day attack. 


Vulnerability Management: 


Vulnerability management is a cyclical practice of identifying, 
classifying, remediating and mitigating security vulnerabilities. 
The essential elements of vulnerability management include 
“Vulnerability Detection”, “Vulnerability Assessment” and 
“Remediation”. 


Methods of vulnerability detection include: 


e Vulnerability scanning- A vulnerability scanner is 
software designed to assess computers, networks or 
applications for known vulnerabilities. 


VA Scanner can identify and detect vulnerabilities rising 
from misconfiguration and flawed programming within a 
network and perform authenticated and unauthenticated 
scans: 


Authenticated scans: Allows the vulnerability scanner to 
directly access networked assets using provided system 
credentials. 


Unauthenticated scans: Result may be false positives and 
unreliable information about operating systems and 
installed software. This method is generally used by cyber 


attackers and security analysts to try and determine 
the security posture of externally facing assets and to find 
possible data leaks. 


e Penetration testing- Penetration testing, also known as 
pen testing or ethical hacking, is the practice of testing an 
information technology asset to find security vulnerabilities 
an attacker could exploit. Penetration testing can be 
automated with software or performed manually. 


«e Google hacking- Google hacking or “Google Dork” is the use 
of a search engine, such as Google or Microsoft's Bing, to 
locate security vulnerabilities. 


Once vulnerability is found, it goes through the vulnerability 
assessment process: 


e Identify vulnerabilities: Analysing network scans, pen test 
results, firewall logs, and vulnerability scan results to find 
anomalies that suggest a cyber-attack could take advantage 
of vulnerability. 


e Verify vulnerabilities: Decide whether the identified 
vulnerability could be exploited and classify the severity of 
the exploit to understand the level of risk 


e Mitigate vulnerabilities: Decide on countermeasures and 
how to measure their effectiveness in the event that a patch 
is not available. 


e Remediate vulnerabilities: Update affected software or 
hardware where possible. 


What is DLP:- 


Data loss prevention, or DLP, is a set of technologies, products, 
and techniques that are designed to stop sensitive information 
from leaving an organization. 


Data can end up in the wrong hands whether it’s sent through 
email or instant messaging, website forms, file transfers, or 
other means. 


O.S. Hardening: 


Operating system hardening involves patching and 
implementing advanced security measures to secure a Server's 
operating system (OS). 


What is Proxy: 


A proxy server provides a gateway between users and the 
internet and act as web filters or firewalls to protect computer 
from internet threats like malware. 


Web traffic requests are first sent to the proxy server, which 
handles the request along with the additional tasks of filtering 
content, scanning for malware, masking the origin of the 
request, encrypting messages, and more. 


Web Filtering Device- Cisco Umbrella, NGFW 
Web Security Appliance - Cisco Web Security Appliance (WSA) 
Email Security Appliance- Cisco Iron Port 
Bluecoat- Bluecoat Proxy 
What is Antivirus: 


Antivirus is a kind of software also called end point protection, 
used to prevent, scan, detect and delete viruses from a 
computer. Antivirus works based on the latest signature or 
behaviour of the malware. 


There are two type of scan which antivirus do- 1-Real time 
scan. 2- Scheduled Scan. 


Antivirus action if virus found- 
1-Clean/Delete - when 100% sure. 
2-Quarantine - when approximately 75% sure. 


3- Left Alone - When 50% sure and not able to clean. 


Cyber Kill Chain Methodology: 
The cyber kill chain is essentially a cyber-security model 
created by “Lockheed Martin” that traces the stages of a cyber- 


attack, identifies vulnerabilities, and helps security teams to 
stop the attacks at every stage of the chain. 


cyber kill chain methodology 


Create a deliverable Exploit a vulnerability Create a command and control 

malicious payload using by executing code on channel to communicate and 
an exploit and a backdoor the victim’s system pass data back and forth 

Weaponization 


— 


Exploitation Command and Control 


Reconnaissance Delivery Installation Actions on Objectives 
Gather data on the target Send weaponized bundle to the Install malware on Perform actions to achieve 
to probe for weak points victim using email, USB, etc. the target system intended objectives/goals 


e Reconnaissance- An observation stage in which attacker 
collects data about the target and the tactics for the attack. 
This includes harvesting email addresses and gathering 
other information. 


Detect: Web Analytics; Threat Intelligence; Network 
Intrusion Detection System 


Deny: Information Sharing Policy; Firewall Access Control 
Lists 


e Weaponization- Preparing or creating a deliverable 
malicious payload by attacker using an exploit and a 
backdoor. 


Detect: Threat Intelligence; Network Intrusion Detection 
System 
Deny: Network Intrusion Prevention System 


e Delivery- The attacker delivers the weaponized malware 
via a phishing email or some other medium. The most 
common delivery vectors for weaponized payloads include 
websites, removable disks, and emails. This is the most 
important stage where the attack can be stopped by the 
security teams. 

Detect: Endpoint Malware Protection 


Deny: Change Management; Application Whitelisting; Proxy 
Filter; Host-Based Intrusion Prevention System, 
Router ACL, Trust Zone etc 


Exploit- When malicious code is delivered into the 
organization’s system. Exploiting vulnerability by executing 
that malicious code on the victim's system. It means the 
perimeter is breached here. 


Detect: Endpoint Malware Protection; Host-Based Intrusion 
Detection System. 


Deny: Secure Password; Patch Management, Firewall, Trust 
Zones. 

Installation- A backdoor or Remote Access Trojan is 

installed on the target system by the malware that provides 

access to the intruder. This is also another important stage 

where the attack can be stopped using systems such as HIPS 

(Host-based Intrusion Prevention System). 


Detect: Security Information and Event Management 
(SIEM); Host-Based Intrusion Detection System 

Deny: Privilege Separation; Strong Passwords; Two-Factor 
Authentication, Router ACL, Firewall, Trust Zone. 


Command & Control- The attacker gains control over the 
organization’s systems and network. Attackers gain access 
to privileged accounts and attempt brute force attacks, 
search for credentials, and change permissions to take over 
the control. 


Detect: Network Intrusion Detection System; Host-Based 
Intrusion Detection System 


Deny: Firewall Access Control Lists; Network Segmentation 


Actions on Objective- The attacker finally extracts the data 
from the system. The objective involves gathering, 
encrypting, and extracting confidential information from the 
organization’s environment. 

Endpoint Malware Protection, Incident Response, Data Loss 
Prevention; Security Information and Event Management 
(SIEM). 


Type of SOC- 


As per company to company requirement, SOC is defined in 
two categories. 


In House SOC- In house SOC is the SOC of the company, which 
manage the security by it’s own and has it’s own team not 
outsourced. 


Outsourced/MSSP SOC- An outsourced SOC is the SOC of the 
company which security is managed by Managed Security 
Service Provider (MSSP), a kind of service based company ie: 
TCS, Wipro, Accenture etc. who provide security services to it’s 
clients. It can be either Shared SOC or Dedicated SOC. 


e Shered SOC- If security services are being provided to 
multiple clients simultaneously then it is called Shared SOC. 

e Dedicated SOC- If security services are being provided to 
one client dedicatedly then it is called Dedicated SOC. 


OWASP Top 10 Vulnerability- 


OWASP stands for the Open Web Application Security Project, 
is a list of top 10 most common application vulnerabilities. It 
also shows their risks, impacts, and countermeasures. 


1-Broken Access Control 

2-Cryptographic Failures (Sensitive Data Exposure) 
3-Injection 

4-Insecure Design (New) 

5-Security Misconfiguration 

6-Vulnerable & Out-dated Components 
7-Identification and Authentication Failures (Broken 
Authentication) 

8-Software and Data Integrity Failures (Insecure 
Deserialization) (New) 

9-Security Logging and Monitoring Failures (Insufficient 
Logging & Monitoring 

10-Server Side Request Forgery (SSRF) (New) 


Security Information & Event Management 


SIEM (Security Information & Event Management): 


SIEM is a centralized log management tool which collects real 
time logs from network devices, security devices, servers, 
applications, databases etc. 


Once it collects the logs, it normalizes (parsed + Normalizes) 
the logs (means it convert the log from non-readable form to 
readable format) and keeps the logs for long time for audit, 
compliance and forensic purposes. As well as it gives searching 
& reporting feature. It also enables Real time Monitoring. 
Correlation and Alerting feature. 


There are multiple SIEM solutions available in market as 


follows- 
ArcSight - Microfocus 
Splunk - Splunk Inc. 
Qradar - IBM 
ELK Stack - OpenSource etc. 
ARCSIGHT 
ARCSIGHT : 


ArcSight is a well-known SIEM tool managed by vendor 
Microfocus. 


There are major three components of ArcSight. Connector, 
Logger & ESM. 


«e Connector- 


Connector is a component of ArcSight which is 
responsible for collecting the Real Time Logs from 
various devices such as network devices, security 
devices, servers, applications & databases etc. 


Once it collects the logs, it normalizes the log and 
sends it to Logger and/or ESM. ArcSight receives logs in 
Event per Second (EPS). 

Connector is available in both the form as Software 
as well as Hardware. 

Software version of Connector can be install only 
on either Windows version of Servers or CentOS / Red 
Hat Linux version of Linux Servers. Maximum companies 
prefer to install it on Windows Server. 

Hardware Connector device comes on Linux 
platform having 30+ type of preinstalled Connector. 
Hardware Connector name “ConApp’. 


e Logger- 


Logger is a component of ArcSight which receives 
the logs from Connector and keeps it for long time based 
on audit, compliance and forensic requirement. It also 
enables searching and reporting feature. 

It also available in both Hardware and Software 
model. 

We can only install Logger on CentOS or Red Hat 
Linux. 

Logger uses the Oracle database. 


Logger can hold the logs for long time or in years 
(ie: 3 years, 5 years , 10 years, etc.) as per business 
requirement 


e ESM (Enterprise Security Manager)- 


It is a component of ArcSight which can receives 
the log either from Logger or directly from Connector. It 
enables Real Time Correlation and Monitoring & Alerting 
capability. 


ESM also available in both Hardware and Software 
model. Software version of ESM name is ESM-Manager 
and Hardware version of ESM name is ESM- Express. 


ESM uses “CORR” engine database which stand for 
“Correlation, Optimization, Retention and Retrieval 
engine”. Actually base engine is MySQL database. 


ArcSight can receive or supports up to 1 lakh event 
per second. 


Current Version of Connector, Logger & ESM : 


Component Name - Latest Version - Current version in Use 


Connector 8.0 TAS 
Logger 7.0 6.8 
ESM 7.4 7.2 


Type of ArcSight Architecture: 


There are two type of architecture of ArcSight. First one is 
Linear and second one is Dual Destination Architecture. 


e Linear Architecture of ArcSight: 
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In Linear architecture of ArcSight, Logger and ESM 
connects in line. Connector sends logs to the Logger and Logger 
further sends the logs to ESM. 


In case of Logger will down or connection between 
Connector and Logger will down then ESM will not receive logs. 


In Linear architecture of ArcSight, it required single 
bandwidth from the data centre where we have deployed 


connector server to data centre where we have deployed 
Logger & ESM. 


In Linear architecture of ArcSight, we can’t manage the 
Connector from ESM or Logger. 


e Dual Destination Architecture of ArcSight: 
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In Dual Destination architecture of ArcSight, Connector 
sends one copy of logs to Logger and one copy of log to ESM 
parallel. 


In case of Logger will down or connection between 
Connector and Logger will down then ESM will still receive the 
log. In second case if ESM will down or connection between 
Connector to ESM will down then Logger will still receive the 
logs. 


In Dual Destination architecture of ArcSight, 
disadvantage is it will require dual bandwidth from the data 
centre, where we have deployed Connector to data centre, 
where we have deployed Logger & ESM. 


In Dual Destination architecture of ArcSight, Connectors 
are directly reporting to the ESM so we can manage the 
Connectors from ESM itself. 


(Managing the connectors from ESM means we can check 
the Connector status weather Connector is running or down, 
Check the JVM utilization of the Connector as well as EPS of the 
Connector, can stop, restart and upgrade the connector version. 
We can also apply the destination setting of the connector such 


as cache, batching, aggregation, filtering etc. from the ESM 
itself.) 


How to Access ESM: 


There are two ways to access ESM. First one is “ESM 


Console” and second one is “ESM Command Centre”. 


ESM Console- ESM Console is a user interface of the ESM 
using which we can do the Real Time Monitoring, Alerting, 
writing the Correlation rule, report and dashboard etc. 

ESM Command Centre - It is web interface application of 
ESM which generally used to manage the advanced activity 
of the ESM such as adding the storage, creating the storage 
group, setting the retention period and taking the back-up 
and archive. We can access ESM through below mentioned 
path- 


https://<IP address of ESM>:8443 


How Connector Works- 


Whenever Connecter receives the raw logs on its input, it 


does Normalization of the logs (In ArcSight Normalization is 


combination of Parsing and Normalization both. Parsing means 
breaking down the events). 


On its output, it does Caching, Batching, Aggregation 


and Filtering. 


Normalization- Mapping of device specific field set into a 
SIEM specific common field set is called Normalization. In 
ArcSight common field set is called Common Event 
Format(CEF) which has 300+ field sets. 

There is a file in the connector in which it is defined that 
which field of device is mapped with which field of ArcSight, 
that is called Parser file. 


Caching- Cache memory is a temporary memory or storage 
of the connecter. By default it is 1GB and we can increase up 
to 50GB. Connector use Java Virtual Memory (JVM). Default 
JVM is 256 Mb upgradable to 10Gb. 


What are the case when Connector will start the Cache the 
logs in Cache memory. 
1- When Destination (Logger or ESM) is down. 
2- When Destination (Logger or ESM) is un-reachable. 
3- When Connector is overloaded. It happens when more 
logs receives compare to JVM. 


Aggregation- Aggregation is a destination setting of the 
Connector which we apply for the devices which are very 
frequent in sending similar and repetitive event such as 
Firewall, Router etc. 

For Example: If there are 100 events generated by the 
device within a specific time such as 5, 10 or 15 seconds 
(max up to 30 seconds) etc where important fields such as 
Source address, Destination address, Destination Port, 
device action are same. Though instead of sending all 100 
events, Connector will apply aggregation and send one 
event with total count of 100 in that specific seconds ie 10 
second. 

In another case, if specific time (ie:10 
seconds) happened and less than 100 count came (ie: 80 
count) it sends one event with total count of 80. 


Batching- Batching is one of the destination setting of the 
Connector which we apply for the devices which are sending 
different event and slow in sending the events such as 
windows device instead of doing frequent look-up for the 
log by the connecter, we can set connecter to hold and wait 
for the specific set of events and then send. 

For Example: 100 events in 10 Seconds. 


Filtering- Dropping of unnecessary events which are not 
required for security monitoring or forensic purpose is 
called filtering. It can be apply on the Connector level as well 
as Logger level. 


Advantage of applying of Aggregation, Batching and Filtering: 


To optimize Connector resources such as CPU & JVM. 


e To optimize Bandwidth between Connector to Logger and 
Connector to ESM. 

e To optimize storage requirement for the Logger & ESM. 

¢ To optimize License utilization. 


Disadvantage of applying of Aggregation, Batching: 


e No Real Time monitoring because logs will not be coming in 
Real Time due to holding the event for the specific time. 


Disadvantage of applving of Filtering: 


e No such as any disadvantage of Filtering. 


Dual Dest. Arch with High Availability or Failover: 
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It is an architecture of Dual Dest. Architecture with back-up ESM so 
that secondary ESM can take place in case of primary ESM is down. 
So that Real Time monitoring and Correlation will not be impacted. 


Logs which were sent to primary ESM will not be available to 
secondary ESM. If we need to search those logs, we have to search 
that from Logger. 


ArcSight Licensing: 


ArcSight is a licensed product of vendor named Microfocus Inc. 
Logger and ESM both require license. For Connector, license is not 
required. Logger and ESM license both are comes in EPS (Events Per 
Second). 


How to plan for ArcSight License or ArcSight Deployement Planning: 


To plan or buy the license for ArcSight deployment, we 
required below mentioned details- 

1-Device Inventory List- Total device's list which will be 

integrated to SIEM. 


2- EPS Calculation for Logger or ESM- We calculates 
the approx. EPS count based on device’s inventory list or 


total devices. Calculation happens on 24 hour basis 
(means how much EPS generated in 24 hours from 
12:00AM to 12:00AM in midnight). 


For Example: If we find approx. 10000 EPS count then we 
will plan 20% more than total generated EPS for future 
perspective. So in respect of 10k EPS, it will be total 12k. 


3- Log Retention Period- Maximum time for which log 
will be available for searching and reporting for auditing 
or compliance purpose. 

Normally ESM keeps the logs for approximately 60 
days. 


4- Resource Calculation- How much RAM & CPU 
required for Logger & ESM. Minimum RAM requirement 
is 64 Gb but it is recommended to go with 128 Gb RAM 
for ESM. Minimum CPU is required 32 core but 
recommended 64 core of CPU. We should refer Logger or 
ESM support matrix document for resource planning. 


5- Storage requirement - How much GB storage will 
required for calculated EPS for one year. We generally 


use HDD for Logger and SSD for ESM because SSD is 
much faster than HDD. 


6- Connectivity- How much bandwidth with dedicated 
line. 


What will happen when Logger License violated ? 


If Logger license is violated, we will see the warning message 
on the top of the logger console mentioning that “Your Logger license 
has been violated one time in this month. If it continues to violate 
more than 5 times in the month, your logger searching & reporting 
feature will be disabled. Kindly contact Microfocus sales team to 
upgrade your license.” 


What will happen when ESM License violated ? 


ESM license is same as Logger license. Only difference is that 
ESM does not disable any feature even license violated because it is a 
critical device. It only pop up notification of violation. 


Types of Connector:- 


There are two type of Connector. First one is Smart 
Connector and second one is Flex Connector. 


Smart Connector- These Connectors are the standard 
Connectors released by ArcSight for supported devices. Smart 
Connectors have 500+ type of supported devices of different 
vendor's. We can check this supported device in the list named 
“ArcSight Supported product list” released by ArcSight. 


Flex Connector- Flex Connector is customized Connector 
where we have to create our own parser for the unsupported 
device with ArcSight. We can develop it in REGEX (Regular 
Expression) or in XML. 


Another way is to raise F.R.(Feature Request) 
to ArcSight support team to create the connector for particular 
device. 


Log Format:- 


There are two types of Log format. First one is 
Windows Log Format and second one is Syslog Format. 


Windows Log Format- Logs generated by windows System or 
Windows Server. For windows devices, Connector will login 
and uses Pull Mechanism to fetch the logs because windows 
devices do not send logs by itself. 


Syslog Format- Linux, Unix or IOS systems and servers or 
devices which are hosted on these platform will support Syslog 
format and work on Push Mechanism. In that case, we have to 
configure IP address and port no of Connector on the syslog 
device and it will start forwarding the logs to the Connector. 


How to Integrate Windows Device to ArcSight:- 


In order to receive the Log on SIEM, doing the required 
configuration on the device end as well as on the SIEM end, is 
called device integration/ data source or device on boarding. 


We can install windows connector for integrating 
windows-based device. 


There are two types of Windows Connector 


1. Microsoft Windows Event Log- Unified 
2. Microsoft Windows Event Log- Native 


The major differences between these connectors are- 


e Performance wise Microsoft Windows Event Log-Unified 
Connector is better than Microsoft Windows Event Log- 
Native Connector. 

e Unified Connector can be installed on both platform 
Windows OS as well as Linux OS while Native Connector can 
be install on Windows platform only. 

e We can’t modify the parser file in Windows Unified 
Connector while we can modify the parser file to an extend 
in Native Windows Connector. 

e Approx. 95% of the devices can be integrated with Microsoft 
Windows Event Log-Unified Connector. 


Steps to Windows Device Integration- 


Step1: 
First of all, we need to find out all devices we are going to 


integrate with ArcSight SIEM using the Device Inventory 
Document with all details i.e.: device locations. 

Step2: 
We have to install Windows Connector. 
Only one setup file is available from the Microfocus for all 
the connectors. Download the ArcSight setup and install, 
then select the appropriate connector specific to the end 
device. 


Step3: 
Enable the connectivity between the Connector Server 


and the End Windows Devices. We can check the 
connectivity by ping command. 

Step4: 
Port Number SMB 445 (TCP), Should be enabled. Then 
only windows connectors can pull the logs. 


Step5: 
Required Service account with non-expiry password of 


each and every windows server and it should have at 
least read only access to the event viewer so that 
Connector can login and pull the log. 

Step6: 
Audit should be enabled on the end windows systems so 
that it can generate the logs and record it to the event 
viewer. 

Step7: 
Remote Procedure Call (RPC) service should be running 
on the end windows devices that we want to integrate. So 
that the Connector can pull the log from devices. 

Steps: 
Launch the connector that you installed and enter the IP 
Address/Host Name of the security Device that needs to 
be connected. 


Step9: 


Login to the domain service account by entering user 


name and password. 


Step10: 


Select the OS and click on next. Once we click on the next 
it will check the parameters, like whether (TCP - SMB 
port number 445 is open or not in firewall, RPC service is 
enabled in end device or not and Audit is enabled or not 
in end device). If any parameter is not valid the it will 
generate the error "Parameter Validation Failed". 


Step 11: 


Finally, In order to verify whether devices are sending 
logs or not For that, Login into ESM and Logger, then give 
the query-“Device Address= <IP Address of the End Device>” 


Windows Connector Installation Step by Step:- 


1- Launch the connector 
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Introduction 


The ArcSight Installer will guide you through the installation 
of the ArcSight SmartConnector. 


The first step installs the core ArcSight SmartConnector 
components; then you select the ArcSight SmartConnector 
you wish to configure 


ArcSight recommends that you quit all other programs 
before continuing with this installation. 


Click the ‘Next’ button to proceed to the next window. 
If you want to change something on a previous window, 


click the ‘Previous’ button. To cancel this installation at 
any time, click the ‘Cancel’ button. 


Previous Next 


Choose Install Folder 


Please choose the installation folder. It is recommended that you 
choose the folder name according to the device that you want to 
connect to, for example /ciscoids or /checkpointng. If you are 
upgrading from a previous version, please select the folder where the 
ArcSight SmartConnector is currently installed. 


Where Would You Like to Install? 
C:MrcSightiWindows 


Restore Default Folder Choose... 


Previous Next 


Install. 


3- Keep as default below and select Next and then 


EJ ArcSight SmartConnector 
X ArcSight OYERE 


{v Introduction 
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{v Choose Install Set 

-> Pick Shortcut Folder 

@ Pre-install Summary 
@ installing... 

@ Upgrade 

@ System Restart 

@ install Complete 


— x 
Pick Shortcut Folder 


Where would you like to create product icons? 


@ In a new Program Group: ArcSight SmartConnectors 

O In the Start Menu 

© On the Desktop 

CO In the Quick Launch Bar 

Choose... 


© Other. 


© Dont create icons 


C Create Icons for All Users 
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Please Review the Following Information Before Continuing: 


Product Name: 
ArcSight SmartConnector 


Install Folder: 
C:MrcSightiWindows 


Shortcut Folder: 
C:\Users\AMITUppDatal\RoamingWicrosoftWindows\Star Menu\Prc 


Previous 


Installing ArcSight SmartConnector 


ArcSight SmartConnectors 


SmartConnectors intelligently collect, process and 
manage the transmission of event data to ensure 
complete, high-performance information processing 
ArcSight's built-in intelligence helps you filter and aggre- 
gate all the events in your enterprise, enabling Smart- 
Connectors to deliver only those security events that 
merit investigation 


Extracting duplicates... 
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4- Select “Add a Connector”. 


EJ connector Setup = Oo x 


What would you like to do? 


X ArcSight 


Configure 


@) Add a Connector 


CO Set Global Parameters 


Select Type as “Microsoft Windows Event Log-Unified’. 


EJ Connector Setup — (m) 


Select the connector to configure 


< ArcSight 


Configure 


Type Microsoft Windows Event Log - Unified v 
icrosoft Network Policy Server File 
[Microsoft Office 365 
Microsoft SharePoint Server DB 
icrosoft SQL Server Multiple Instance Audit DB 


icrosoft System Center Configuration Manager DB 
Microsoft System Center Operations Manager DB 
icrosoft Windows Event Log - Native 
Microsoft Windows Event Log - Unified 


< Previous Cancel 
5- Leave default as below. 


EJ Connector Setup 


Enter the parameter details 


X ArcSight 


Forwarded Events Collection Disabled - 
Configure 


Domain Name 

Domain User Name 

Domain User Password 

Active Directory Server 

Active Directory Base DN ou=<Organizational Unit>,dc=<Domain Component>, 
Active Directory Filter (&(cn =*)(operatingsystem =*)(whencreated=*)) 
Active Directory User Name 

Active Directory User Password 

Active Directory Protocol non_ssl ~ 
Active Directory Port 389 

Active Directory Max Page Size 300 

Global Catalog Server 

Global Catalog Base DN 

Global Catalog User Name 

Global Catalog User Password 


<Previous canca 


6- Select “Enter Device Manually” 


i = | Connector Setup me o x 


Select how you want to browse for devices 


X ArcSight 


Configure 


Type Enter Devices Manually v 


Windows Host Br 


Enter Devices Manually 


Cancel 
7- Enter device details then Next. 
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8- Select destination as “ArcSight 
Manager{Encrypted)” or “ArcSight Logger 
SmartMessage(Encrypted)” as per requirement. 


E Connector Setup — o 


Enter the type of destination 


X ArcSight 


Configure 


@ ArcSight Manager (encrypted) 

O ArcSight Logger SmartMessage (encrypted) 

O ArcSight Logger SmartMessage Pool (encrypted) 
O CEF File 

O Event Broker 

O CEF Syslog 

O CEF Encrypted Syslog (UDP) 

O CSV File 


O Raw Syslog 


<Previous Cancel 


9- Enter ESM Manager details. ie: hostname, user and 
password. 


=] Connector Setup 


Enter the destination parameters 


< ArcSight 


Configure 


Manager Hostname arcsight.siemxpert.com 
Manager Port 8443 

User admin 

Password eosce 


AUP Master Destination false 
Filter Out All Events false v 
Enable Demo CA false 


<Previous cence 


10- Enter Connector information. 


EJ connector Setup 


Enter the connector details 


<0 ArcSight 


Configure 


Name Windows 
Location Banglore 
DeviceLocation Banglore| 


Comment 


<Previous 


Will receive summary like below. 
Ei Connector Setup 
X ArcSight Add connector Summary 


E i Following are the added connector details: 
ea Connector Name [Windows ], Connector Type [windowsfg] 


11- Select “Install as a Service’. 
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>=] Connector Setup 


X ArcSight The Smart Connector is currently installed as a standalone application 


Configure 


@ Install as a service 


O Leave as a standalone application 


< Previous Cance! 


Specify the parameters as below then Next and then 
Exit. 


Ei Connector Setup 


X ArcSight Specify the service parameters 


Configure 


Service Internal Name windowsfg 


Service Display Name 


| Start the service automatically Š 


< Previous 


Connector is installed successfully. 


12- 
then start as below. 


Microsoft Windows Event Log - Unif 


Now Check weather service is start or not. If not 
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Windows Connector Uninstallation Step by Step: 


1. Stop the Connector Service by navigating 
Search box -> type Services -> Click on Services 
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Select service ArcSight Microsoft Windows Event Log - Unified -> 
right click -> click Stop to stop running service. 
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Displays Help for the current selection. 


Æ Type here to search 


2. Browse connector folder where it is installed ie: C:\ drive -> 
current -> bin -> right click on runagentsetup batch file -> select 
Run as administrator. 
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d Cut Moneta « Edit FB select a 
aay (Ee copy pat B Print Select none 
ne Copytoy & 
@ Run as administrator BF Invert selection 


[2] Paste shortcut 
Clipboard Organi? @ Share with Skype Seka 
2] 


Re ~ a [Bl « Windows > current > bin > {H Scan with Microsoft Defender... 
Edge \@ Share 


Name Restore previous versions 
oe Quick access ee 
| agent 
IB Desktop n 
E installer 
Download: 7 
Ẹ Downloads fis 


=| Documents E scripts 


© Pictures B wrapper Create shortcut 
F Syslog E] arcsight Delete atch File 
F System32 checklgnoreJar Rename atch File 


; — F File 
[E Windows Connecto — enai Properties e 
L runagentsetup atch File 


wwwroot 


@ OneDrive 
E This PC 
È Network 


< 


Qitems 1item selected 104 bytes 


18:33 


Je? Type here to search TRI RS 19-10-2021 


Here ArcSight Agent Setup window will appear. 


Now select Uninstall as a service -> Next 


Connector Setup 


iiis 5 
x ArcSight What would you like to do? 


Configure 


O Modify Connector 
@ Uninstall as a service 
O Set Global Parameters 


O I do not want to change any setting 


Sitems litem selected 104 bytes 


t} os a ol ras 9 
P Type here to search ~ 2C AGA) ENG yom A 


Uninstall as a service is mandatory to remove services before 
connector uninstallation skip getting error while reinstallation. 
Here, we will get successfully Uninstallation message of ArcSight 
connector service. 


EJ connector Setup — oO x 


X A rcSig ht Uninstall Service Summary 


Configure The ArcSight SmartConnector service has been successfully removed. 


Now you can run the SmartConnector as a standalone application 


canci 


Click on Next 


EJ Connector Setup = oO x< 


i 7 <a r -iii 
X ArcSight Would you like to continue or exit? 


Configure 


© Continue 


© Ext 


<Previous = 


Finally click on Exit-> Next 


3. Now verify that connector service is removed and does not exist 
anymore in Windows Services. 


4. Browse connector folder where it is installed -> current -> current -> 
UninstallerData -> right click on Uninstall_ArcSightAgents 


application file -> select Run as administrator. 
MMe 


Manage UninstallerData — oO x 
Home Share View Application Tools (2) 
/ rR. > < M 
pc B Moveto~ > Delete ~ I - va [az] Open Œ paeda 
4 w Copy path 5 dae Edit Select none 
Pin to Quick Co Paste B - œp New Properties 
; a rese a [#} Paste shortcut B copio F Rename folder p © History a8 Invert selection 
Clipboard Organize New Open Select 
e - a a << current > UninstallerData v iJ) Search UninstallerData 
Name Open Size 
a Quick access 9 Run as administrator 
resource z 
E Desktop © Share with Skype = 
=) .com.zerog.registry ee me 221 KB 
I p troubleshoot compatibili ias 
F Downloads ] InstallScript.iap_xml ži y 395 KB 
ra > $ : Pi E 
=] Documents ] installvariables.properties IWS KB 
=) Pictures Uninstall_ArcSightAgents S>] Scan with Microsoft Defender... | 540 KB 
x 2 = 
B Syslog Uninstall_ArcSightAgents 12 Share 3 KB 
System32 ] Uninstall_ArcSightAgents.lax Pin to taskbar 5 KB 
= Restore previous versions 2,901 KB 
|| Windows Connecto ] aaee eee 
a jot Send to > 
Cut 
@ OneDrive 
Copy 
E This PC 
Create shortcut 
ə Network Delete 
z Rename > 
Sitems 1 item selected 540 KB Properties = 


Uninstall ArcSight SmartConnector 


== x 
X ArcSight Focus Uninstall ArcSight SmartConnector 
> Introduction About to uninstall... 
@ Uninstalling... 
@ Uninstall Complete ArcSight SmartConnector 


This will remove features installed by InstallAnywhere. It will not remove 
files and folders created after the installation. 


Cancel Previous Uninstall 


Select Uninstall-> Done 


We will get successfully Uninstallation message of ArcSight 
connector. 


Ef Uninstall ArcSight SmartConnector 


= x 
X ArcSight Fucus 


FOCUS Uninstall Complete 
v Introduction 


¥ Uninstalling.. 
-> Uninstall Complete 


All items were successfully uninstalled. 


InstallAnywhere 


Also all the files & folder will be deleted automatically as in 
below screenshot. 


[[R Windows-10-x64 


Cut lri O 
% Cu New item ~ pen Select all 
xX E v a 
w Copy path F] Easy access ~ J Edit Select no 
Pin to Quick Cop: Past Move Copy Delete Rename New Properties o 
aaess [Ē] Paste shortcut to to 5 folder ~ \@History gP invert sel 
Clipboard z New Open Select 
e k my > ThisPC > Local Disk(C:) > ArcSight > Windows > current > UninstallerData v & 
Name Date Type 
Æ Quick access 


E Uninstall_ArcSightA... 19-10-2021 16:58 
E Desktop - 
&} Downloads 


=| Documents 


Size Tags 


==] Pictures 
a Syslog 
|) System32 
E Windows Connecto 
E wwwroot 
@ OneDrive 
E This Pc 


EÈ Network 


1 item 


After all, we can delete residual files & folder from main folder of 
connector. Uninstallation of all the connector will be same like this. 


Relaunch Windows Connector to add new device Step by Step:- 


1- Go to the folder where the connector gets installed (Here, 
C:\ArcSight Connectors) and visit below path 


C:\ArcSight Connectors\Windows \current\bin 


2- Choose the last setup file (runagentsetup) -> Right Click 
--> Runs as administrator 


6 ~ | > ThisPC » Local Disk (C:) » Arcsight Connectors » Windows » current » bin > 


W Favorites 
BB Desktop 
B® Downloads 
= Recent places 


W This PC 
ie Desktop 
F Documents 
& Downloads 
BD Music 
$ Pictures 
H Videos 
É Local Disk (C:) 


3- Select “Modi 


Name 


d agent 

L installer 

E ns 

d scripts 

d wrapper 

P arcsight 

Y checkignoredar 
® regutil 


EN runagentsetup 


€ ” tie 
Assuming A 


Wr Favorites ing J 


GHT_HOME: x ArcSight 


HOME: C:\A 


BB Desktop ArcSight Agent Setup sta 
UB Downloads Sonnector Setup Wi 


2 Recent places bor... 
(® This PC 
pm Desktop 
LD Documents 
Bp Downloads 
BD Music 
È Pictures 
F] Videos 
Ib, Local Disk (C:) 


(Thu Oct 14 88:59: 


& Network 


a 


fy connector” 


Configure 


Date modified Type Size 
AM le 
M lef 
A le e 
M le folde 
2 JAM File folde 
M 3 ile 


9 AM 


h File 


10/13/2021 8:40AM Windows Batch File 


What would you like to do? 


® Modify Connector, 


Uninstall as a service 
Set Gobal Parameters 


1 do not want to change any setting 


4- Select “Modify Connector Parameters” 


X ArcSight 


Configure 


What would you like to do with the connector? 


© Modify connector parameters 


Add, modify, or remove destinations 


1KB 


EJ Connector Setup 


Enter the parameter details 


X ArcSight 


Configure 


Forwarded Events Collection Disabled x 
Domain Name 

Domain User Name 

Domain User Password 

Active Directory Server 

Active Directory Base DN ou=<Organizational Unit>,dc=<Domain Component>, 
Active Directory Filter (&(cn = (operatingsystem =") (whencreated=*)) 
Active Directory User Name 

Active Directory User Password 

Active Directory Protocol non_ssl x 
Active Directory Port 389 

Active Directory Max Page Size 300 

Global Catalog Server 

Global Catalog Base DN 

Global Catalog User Name 

Global Catalog User Password 


<Previous cence! 


>] Connector Setup 


Select how you want to browse for devices 


< ArcSight 


Configure 


Type Enter Devices Manually {v 


Windows Host Browser 


Enter Devices Manually 


E Connector Setup = a x 


Enter the device details 


X ArcSight 


Configure 


Domain Name Host Name User Name Password SecurityLogs SystemLogs Application Custom Log Names Microsoft OS Version locale 


domain.com WinServer Aa Windows Server 2012R2 en_US 


Windows Server 2003 


en_US 


Here we can add devices. 


Relaunch Windows Connector to add logger as dual 
destination Step by Step:- 


1- Go to the folder where the connector gets installed (Here, 
C:\ArcSight Connectors) and visit below path 


C:\ArcSight Connectors\Windows \current\bin 


Choose the last setup file (r'unagentsetup) > Right Click > 
Runs as administrator 


e ~ Aid > ThisPC > LocalDisk(C:) » Arcsight Connectors » Windows » current » bin > 
a 

W Favorites 

BB Desktop E agent 

d Downloads d installer 

=| Recent places A nss 

d scripts 

W This PC J wrapper A 

pe Desktop 4) arcsight 

F Documents E checkignoredar 

d Downloads $) regutil 202 f Ba 
J Music $ runagentsetup 10/13/2021 8:40 AM Windows Batch File KB 
© Pictures 

B Videos h 

i Local Disk (C:) 


2- Select “Modify connector’ 


A What wouid you like to do? 
HT_HOME: X ArcSight 
Sr Favorites oi A 
E Desktop Configure 
Tè Downloads or 


im Desktop 
LD) Document © Modig Conmector 
Download: k 
-g z Jrinstăl as a service 
iiic 
E Pict Set Gobal Parameters 
+ 
TE Videos I do not want to change any setting 
i Local Disk (C:) 
C Network 
| [_<Prevovs_| (ines 


3- Select “Add, Modify, or remove destinations” 


| = | Connector Setup 


-X ArcSight 


Configure 


What would you like to do with the connector? 


O Modify connector parameters 
© Add 


lif, OF remove c 


<Previous Cancel 


EJ Connector Setup 


= ArcSight Modify an existing destination or add a new destination 


Configure 


O CSV File {CSV Path=C: \Users\AMIT Desktop Windows, Fields =event.deviceRec 


<Previous Cancel | 


4- Enter Logger details IP and Receiver name same as mentioned 


in Logger. 


EJ Connector Setup — oO Xx 
= ArcSight Enter these parameters 
Configure 
Host Name/IP #Logger IP 
Port 443 
Receiver Name =vindows_Banglore 
Compression Mode Disabled v 


CEF Version 0.1 


Click Next, Will receive summary like below. 


| The following connector(s) have been updated 
| x ArcSight Container [Container 1 /locathost:10001] 
| Connector [Windows] 
Configure 
with following primary destination 
loggersecure {Host Name TP=192,168,0.119,Port=443,Receiver Name=Windows_Riyadh, Compression Mode=Disabled,CEF Version=0,1) Windows 
[CNet Cancel 
= oO x 


| = | Connector Setup 
<= ArcSight Would you like to continue or exit? 


Configure 


© Continue 


Syslog Daemon Connector Installation Step by Step:- 


1- Launch the connector setup file as “Run as administrator’. 
ArcSight SmartConnector SA = 
Introduction 


<= ArcSight Facts 
-> introduction 
@ Choose Install Folder 
@ Cnoose install Set 
@ Pick Shortcut Folder 
@ Pre-install Summary 
@ installing 
@ Upgrade 
@ System Restart 
@ install Complete 


Installa ere 
Cancel 


The ArcSight Installer will guide you through the installation 
of the ArcSight SmarConnector 


The first step installs the core ArcSight SmanConnector 
components: then you select the ArcSight SmamnConnector 
you wish to configure 


ArcSight recommends that you quit all other programs 
before continuing with this installation 


Click the Wet button to proceed to the next window 
if you want to change something on 3 previous window, 


click the ‘Previous’ button To cancel this instailation at 
any time, click the “Cancel button 


R 


2- Select the path where we want to install the syslog connector. 


<< ArcSight 


@ee0e000.< 


introduction 

Choose Install Folder 
Choose Install Set 
Pick Shortcut Folder 
Pre-install Summary 
Installing 

Upgrade 

System Restart 
install Complete 


| = | ArcSight SmartConnector 


X ArcSight CIPLESS 


COCO. << 


Introduction 

Choose Install Folder 
Choose Install Set 
Pick Shortcut Folder 
Pre-install Summary 
Installing... 

Upgrade 

System Restart 
Install Complete 


Choose Install Folder 


Please choose the installation folder. Itis recommended that you 
choose the folder name according to the device that you want to 
connect to, for example /ciscoids or /checkpointng. if you are 
upgrading from a previous version, please select the folder where the 
ArcSight SmartConnector is currently installed 


Where Would You Like to Install? 
CAarcsight Connectors\Sylog] 


F Restore Default Folder | Choose... 


— x 
Pick Shortcut Folder 


Where would you like to create product icons? 


@ In a new Program Group: ArcSight SmartConnectors 

O In the Start Menu 

© On the Desktop 

© In the Quick Launch Bar 

Choose 


© Other: 


© Dont create icons 


O Create Icons for All Users 


Previous 


X ArcSight Pre-install Summary 


v Introduction Please Review the Following information Before Continuing: 
v Choose Install Folder 
v 
v 


Product Name: 


Choose Install Set ArcSight SmarnConnector 


Pick Shortcut Folder 
> Pre-install Summary install Folder: 
Ar ht Conn rs\Syt 
@ installing CAresight Connectors\Sytog 


@ Upgrade Shortcut Folder: 
@ System Restart CwWsers\AdministratornAppDatalRoamingWicrosomwindows\Star I 


@ install Complete 


Ef ArcSight SmartConnector a x 
X ArcSight OPLERS Installing ArcSight SmartConnector 


v Introduction 
v Choose Install Folder 


¥ Choose Install Set 
v Pick Shortcut Folder SmartConnectors intelligently collect, process and 


manage the transmission of event data to ensure 
complete, high-performance information processing 
ArcSight's built-in intelligence helps you filter and aggre- 
gate all the events in your enterprise, enabling Smart- 
Connectors to deliver only those security events that 
merit investigation 


ArcSight SmartConnectors 


v Pre-install Summary 
> Installing... 

@ Upgrade 

@ System Restart 

@ install Complete 


Extracting duplicates... 


InstallAnywhere 


= r 


4- Select “Add a Connector”. 


EJ Connector Setup = o x 


What would you like to do? 


X ArcSight 


Configure 


@ Add a Connector 


© Set Global Parameters 


Select Type as “Syslog Daemon”. 


Select the connector to configure 


X ArcSight 


Configure 


ymantec AntiVirus Corporate Edition File 
ymantec AntiVirus Corporate Edition Multiple Fie 
ymantec Data Center Security 08 

ymantec Endpoint Protection DB 


5- Fill IP address, port no and protocol then Next. 


Enter the parameter details 


< ArcSight 


Configure 


Network Port 514 I 
IP Address (AU) 
Protocol uoP 


Forwarder false 


Port where syslog will listen for incoming messages 


6- Select the destination where log has to be sent. 


Enter the type of destination 


X ArcSight 


Configure 


© ArcSight Manager (encrypted) 

D ArcSight Logger SmartMessage (encrypted) 
ArcSight Logger SmartMessage Pool (encrypted) 

D CEF File 


D Event Broker 


CEF Sysog 
CEF Encrypted Syslog (UDP) 


D CSV File 


Raw Syslog 


Enter the destination parameters 


<0 ArcSight 


Configure 


Manager Hostname 
Manager Port 

User 

Password 

AUP Master Destination 
Filter Out All Events 
Enable Demo CA 


7- Enter connector details. 


Enter the connector details 


<0 ArcSight 


Configure 


Name Sysiog 
Location New York 
DeviceLocation New York 
Comment 


Following certificate will be imported into connector trust store: 
X ArcSight Hostport: arcsight.siemxpert.com_8443 
Details: CN=arcsight siemxpert.com, OU=ESM, O=Arcsight, L=95014, ST=CA, C=US 
Configure 


©) Import the certificate to connector from destination 


Do not import the certificate to connector from destination 


R 


Add connector Summary 
X ArcSight Following are the added connector details 
Connector Name [Syslog], Connector Type [syslog] 


Configure 


8- Select “Install as a service’. 


The Smart Connector is currently installed as a standalone application 


< ArcSight 


Configure 


© Install as a service 


J Leave as a standalone application 


9- Specify the service perimeters as default below. 


Specify the service parameters 


X ArcSight 


Configure 


Service Internal Name 
Service Display Name 


Start the service automatically 


Install Service Summary 


< ArcSight 


Configure 


The ArcSight SmartConnector is now configured to run as a service. 
You can now start the SmartConnector by: 
Going to the services application and starting the service: 


ArcSight Syslog Daemon 


10- Click on Continue to select Logger also. 


Would you like to continue or exit? 


X ArcSight 


Configure 


Select Modify Connector 


What would you like to do? 


<0 ArcSight 


Configure 


@ Modify Connector 
> Uninstall as a service 


Set Gobai ameters 


I do not want to change any setting 


Select “Add, modify or remove destinations”. 


What would you like to do with the connector? 


X ArcSight 


Configure 


O Modify connector parameters 


® Add, an or remove destmatons 


Select “Add destination”. 


Modify an existing destination or add a new destination 


< ArcSight 


Configure 


) Manager {Manager Hostname =arcsight.ssemxpert.com,Manager Port=8443,User =null, AUP Master De 


Select “ArcSight Logger SmartMessage (encrypted)”. 


Enter the type of destination 


X ArcSight 


Configure 


ArcSight Manager (encrypted) 

ArcSight Logger SmartMiessage (encrypted) 

ArcSight Logger SmartMessage Pool (encrypted) 
D CEF File 


D Event Broker 


CEF Sysiog 


CEF Encrypted Syslog (UDP) 
> CSV File 


Raw Syslog 


Enter these parameters 


X ArcSight 


Configure 


Host Name/iP 192. 168.0.119 
Port 43 
Receiver Name 

Compression Mode 

CEF Version 


[=] Connector Setup 


X ArcSight Performing add destination 


Confi gure - Destination parameters {cefver=0.1, port=443, host=192.168.0.119, 
rcvrname=Syslog, compression=Disabled} 


- Connector Syslog:syslog 


Regstering the destmation 
© Regpstering the primary destraton for Fsyslog:sysiog://Detatt{ocathost/Container 3] 


ov 


Select “Import the certificate”. 


= Connector Setup = jaj x 
Following certificate will be imported into connector trust store: 
`X ArcSight Host/port: 192.168.0.119_443 
Details: EMAILADDRESS~=arst-support@microfocus.com, CN=localhost localdomam, 
Configure OU=Support Team, O=Micro Focus, L=Sunnyvale, ST=California, C=US 
Syslog 


[>>] Importing cer thcate, registering destination and restarting the container 


Oe 


The following connector(s) have been updated 
X ArcSight 
Container [Container 1/localhost:10050] 
Configure Connector (Syslog) 
with following primary destination 


loggersecure {Host Name/IP=192.168.0.119,Port=443 Receiver 
Name=Syslog,Compression Mode=Disabied,CEF Version=0.1} Syslog 


Would you like to continue or exit? 


< ArcSight 


Configure 


11- Start the Syslog Daemon service. 


| File Action View Help 


| EE 


Description 


Gh Services (Local) || Name G Status Startup Type Log.” 
Ss App Readiness Gets apps ready for use the first time a user signs in to this PC and when adding new apps. Manual Local 
wf Application Experience Processes application compatibility cache requests for applications as they are launched Running Manual (Trig. Local 
“4 Application Identity Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. Manual (Trig... Local = 
Sh Application Information Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will... Running Manual (Trig. Local 
‘Application Layer Gateway Service Provides support for 3rd party protocol plug-ins for Internet Connection Sharing Manual Local 
‘A Application Management Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabl... Manual Local’ 
Sa ArcSight Microsoft Windows Event Log - Unified ArcSight Microsoft Windows Event Log - Unified Running Automatic Local 

| cat 
Ch Background Intelligent Transfer Service tole 9 idle network bandwidth, If the service is disabled, then any applications that depend o.. Running Manual Local 
Sh Background Tasks Infrastructure Service Windows SO% ontrols which background tasks can run on the system. Running Automatic Local 
Gh Base Filtering Engine The Base) Pause vice that manages firewall and Internet Protocol security (IPsec) policies and implement... Running Automatic Local 
Gh Certificate Propagation Copies u Raisi ficates from smart cards into the current user's certificate store, detects when a smart car. Running Manual Local 
SA CNG Key Isolation The CNG Seen td in the LSA process, The service provides key process isolation to private keys and asso... Manual (Trig... Local 
Sh COM- Event System Supports ervice (SENS), which provides automatic distribution of events to subscribing Compone... Running Automatic Local 
CA COMe System Application Manages, All Tasks + ing of Component Object Model (COM)+-based components. If the service is stopped, „u Manual Local 
‘4 Computer Browser Maintain Refresh brs on the network and supplies this list to computers designated as browsers. If this servi... Disabled Local 
Ch Credential Manager Provides | of credentials to users, applications and security service packages. Manual Local 
Sh Cryptographic Services Provides | paths | Catalog Database Service, which confirms the signatures of Windows files and allows ne... Running Automatic Netwe 
CA DCOM Server Process Launcher TheDCO Help COM and DCOM servers in response to object activation requests, If this service is stopp.. Running Automatic Local 
‘A Device Association Service Enables pairing between the system and wired or wireless devices. Manual (Trig. Local 
C Device Install Service Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service... Manual (Trig... Local 
‘a Device Setup Manager Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configu... Manual (Trig... Local 
SA DHCP Client Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive... Running Automatic Local 
‘A Diagnostic Policy Service The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components, If this se... Running Automatic (D. Local 
S Diagnostic Service Host The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service co... Manual Local 
‘yh Diagnostic System Host The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System co... Manual Local 
‘ Distributed Link Tracking Client Maintains links between NTFS files within a computer or across computers in a network, Running Automatic Local 
“A Distributed Transaction Coordinator Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this s. Running Automatic (0... Netwe 
C ONS Client The DNS Client service (dnscache) caches Domain Name System (ONS) names and registers the full computer name for this c. Running Automatic (T. Netwe 
y $ Fnenmntinn Fila Sustem FFS). Dinvides the core file enenntinn technalony. be to store encrunted filas on NTFS file evetem volumes if thie carice ic tann, Manual (Tria I ao M 


Start service ArcSight Syslog Daemon on Local Computer 


How to Integrate Syslog Devices to ArcSight:- 
Step 1 


Check in “ArcSight supported product list” of Microfocus, 
whether the integrating device is supported by the ArcSight 
or not. 


Link for ArcSight supported product list document: 
https://www.microfocus.com/media/flyer/arcsight_connec 


tor supported products flyer.pdf 


Step 2 


If the device is supported by the ArcSight, then download 
the device integration document for the specific device. 


Device Integration Document will give the below 
information: 


e Versions of devices it supports. 

e Name of the Connector. 

e How to install or configure connector. 

e What kind of configuration has to be done on the end 
devices which we are going to integrate. 


If the device is not supported by ArcSight then we have to 
go with Flex Connector. 


Step 3 


Install the respective Syslog connector on connector server 
which is mentioned in the Device Integration Document. 


It can be either Default Syslog Daemon Connector or Syslog 
Dedicated Connector. 


Then, Configure the Port number and Protocol on the 
Connector. So that the connector can listen the logs from 
the devices. 


Protocol: UDP — It is unreliable 


We can also use TCP, if the server can support high 
bandwidth. The advantage of using TCP is, it offers a 
guaranteed delivery of data packets (Logs). So, TCP is more 
reliable than UDP. 


Port Number: 514 (Default Port Number), 
515,516,517,518,519 Then after 1024 (since 0 — 1023 are 
reserved ports) 


Note: If you configured port number 514 to one of 
the Syslog connectors on the server, then you cannot use 
the same port number to configure the next Syslog 
connector, you should provide any other port number 
which is mentioned above 


Step 4 


Step 5 


Step 6 


Step 7 


Enable the connectivity between the End Device and the 
Connector server. 


Here we can use the ping command to check the 
connectivity on both directions. 


Make sure that the respective Port Number is open 
between end device and connector server if there is a 
firewall in between. 


If it is not open then we can contact firewall team to 
open the port number that we configured on the connector 
(514......519, or 1024 +) 


Configure the connector server details such as IP address, 
Port number and protocol on the End Device in order to 
forward the logs. 


These things we can send to the respective end device 
configuration team, along with the steps to configure the 
end devices; it is called Log Baseline Document. 


The final step is to verify whether the logs are coming or 
not. 


This can be done by logging into the Logger and ESM, then 
enter the query 


“ Device Address= <IP Address of the End Device> ” 


Configuration on linux devices side:- 


Step 1- 


We need to follow the below process to configure logs 
forwarding from device to connector. 


We have to find out which kind of syslog is running. There 
are three types of syslog. One of the following syslog might 
be available on your system. 


e syslogd 

e rsyslogd 

e syslog-ng 
Step 2 1- Login as “root” user. 


2. “ps -elf | grep -i syslog” will show which syslog is running 


on system. 
McAfee-ETM-VM4 ~ # ps -elf | grep -i syslog 
5 S root 678 1 0 80 0 - 691 poll s Aug06 ? 00:00:09 syslogd 


Figure 1. Example of a system where “syslogd” is running. 


Croot@localhost ~ S >.1f | grep i syslog 
p Q 


5 S root 80 0 62272 poll_s 18:87 7? 
/rsyslogd i /svar/7run/syslogd.pid 


1ct@db - vm:~ 
O S root 


O S ict 3 334 O 9 O - 3555 pipe w 10 
ict@db-vm:~$ 


igure 3. Example of a system where “syslog-ng” is runnine 
Fig $ E ple of a system whe log-ng iNe 


Step 3 Depending on type of syslog availability follow one of the 
instructions below to find out the location of configuration 
file of syslog. (Optional step, if configuration file is not in 
standard path) 


i. find / -name “syslog.conf” 


McAfee-ETM-VM4 ~ # 
/etc/syslog.conf 
McAfee-ETM-VM4 ~ # ff 


ind / 


-name “syslog.cont” 


ii. find / -name “rsyslog.conf” 


[root@localhost ~1]# find 7 -name rsyslog.conf 
/usr/sharey/dvacutsmodules .d/98sys log7rsys log .conf 
/eto/rsys log .conf 


[root@locathost “I _ 


iii. find / -name “syslog-ng.conf” 


ict@db-vm:~$ sudo find / -name “syslog-ng.conf" 
[sudo] password for ict 


etc/syslog-ng/syslog-ng.conf 


Step 4 Following one of the instructions below is configuration 
depending on syslog availability of the system. 


a. For syslogd 
i. Log on to the Linux device as “root” user. 


ii. | Enter the command - vi /etc/syslog.conf to open the 
configuration file called syslog.conf. 


iii. | Enter *.* and press the Tab key and enter the name 
of the host machine where the server is running. 


* * @@10.0.12.164 


iv. /etc/rc.d/init.d/syslog restart 


b. For rsyslog 
i. Log on to the Linux device as “root” user. 


ii. | Enter the command - vi /etc/rsyslog.conf to open the 
configuration file called rsyslog.conf. 

iil. * * @@10.0.12.164:514 

iv. service rsyslog restart 


c. For syslog-ng 
i. Log on to the Linux device as “root” user. 


ii. Enter the command - vi /etc/syslog-ng/syslog-ng.conf 
to open the configuration file called “syslog-ng.conf” 
to add following lines. source s_local { system(); 
internal(); } — destination siem_host_tcp { 
network("10.0.12.164" transport("tcp") port(514)); }: 
log { source(s_local); destination(siem_host_tcp) } 


iii. service syslog-ng restart 


Connector Upgradation Step by Step 


To upgrade connector locally, we will follow below steps 


Step 1: Stop the running connector and run the new Smart 
Connector installer as “Run as administrator”. The 
installer prompts you for the location to install the 
connector. 


File Action View Help 
+ mae Bm »e n 


Ch Services (Local) || Name s Description Status Startup Type 
| <$ App Readiness Gets apps ready for use the first time a user signs in to this PC and when adding new apps. Manual 
Application Experience Processes application compatibility cache requests for applications as they are launched Running Manual (Trig... 
Š Application Identity Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. Manual (Trig... 
“i, Application Information Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will... Running Manual (Trig... 
| sà Application Layer Gateway Service Provides support for 3rd party protocol plug-ins for Internet Connection Sharing Manual 
| GA Application Management Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabl... Manual 
| “4 ArcSight Microsoft Windows Event Log - Unified ArcSight Microsoft Windows Event Log - Unified Running Automatic 
EelArcSight Syslog Daemon ArcSight Syslog Raining Automatic Local] 
| Š Background Intelligent Transfer Service Transfers files in’ a letwork bandwidth. If the service is disabled, then any applications that depend o.. Running Manual 
| Ñ Background Tasks Infrastructure Service Windows infrasti which background tasks can run on the system. Running Automatic 
| 4 Base Filtering Engine The Base Filtenn rk. at manages firewall and Internet Protocol security (IPsec) policies and implement... Running Automatic 
| Cà Certificate Propagation Copies user certi Kaima rom smart cards into the current user's certificate store, detects when a smart car.. Running Manual 
we CNG Key Isolation The CNG key iso Restart = LSA process. The service provides key process isolation to private keys and asso... Manual (Trig... 
| “i COM- Event System Supports System SENS), which provides automatic distribution of events to subscribing Compone... Running Automatic 
| come System Application Manages the cor All Tasks > Component Object Model (COM)+-based components. If the service is stopped, ... Manual 
| Gh Computer Browser Maintains an upi Refresh he network and supplies this list to computers designated as browsers. If this servi... Disabled 
4 Credential Manager Provides secure í P 3 sntials to users, applications and security service packages. Manual 
A Cryptographic Services Provides three m y g Database Service, which confirms the signatures of Windows files and allows ne... Running Automatic 
+ OCOM Server Process Launcher The DCOMLAUN Help jnd DCOM servers in response to object activation requests. If this service is stopp... Running Automatic 
| Gh Device Association Service Enables pairing between the system and wired or wireless devices. Manual (Trig... 
$ Device Install Service Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service... Manual (Trig... 
| vi Device Setup Manager Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configu... Manual (Trig... 
| SQ DHCP Client Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive... Running Automatic 
| 4 Diagnostic Policy Service The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this se.. Running Automatic (D... 
| Så Diagnostic Service Host The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service co... Manual 
$ Diagnostic System Host The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System co... Manual 
4 Distributed Link Tracking Client Maintains links between NTFS files within a computer or across computers in a network. Running Automatic 
v4, Distributed Transaction Coordinator Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this s.. Running Automatic (D... 
| CL ONS Client The DNS Client service (dnscache) caches Domain Name System (ONS) names and registers the full computer name for this c.. Running Automatic (T... 
| A Enenmtina File System IFES) Provides the care fila encnmtion tachnalanxueed to store encnmted filas on NTFS file cuctem unlumes Jf this senice is stonn. Manual (Tria 
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op service ArcSight Syslog Daemon on Local Computer 


X ArcSight 


@0000000) 


introduction The ArcSight installer will guide you through the installation 


Choose Install Folder of the ArcSight SmartConnector. 


Choose Install Set The first step installs the core ArcSight SmartConnector 


Pick Shortcut Folder components; then you select the ArcSight SmartConnector 


Pre-install Summary you wish to configure 


inetaling ArcSight recommends that you quit all other programs 


Upgrade before continuing with this installation 
System Restart 
Install Cormpiete 


Click the "Next button to proceed 1 the next window 

if you wam to change something on a previous window 
Clit the Prewous button Te cance! this installatran at 
any nme, click the Cancef button 


Step 2: Select the location of the Smart Connector that you want 
to upgrade. The message "Previous Version Found”. Do 
you want to upgrade?" appears. 


Step 3: 


X ArcSight Choose Install Folder 


v Introduction 

-> Choose Install Folder Please choose the installation folder. It is recommended that you 

@ Choose Install Set choose the folder name according to the device that you want to 
connect to. for example /ciscoids or /checkpointng. If you are 

@ Pick Shortcut Folder upgrading from a previous version, please select the folder where the 
@ Pre-install Summary ArcSight SmartConnector is currently installed 


@ installing 
@ Upgrade Where Would You Like to Install? 


@ SystemRestart C:\Arcsight Connectors\Sylog| 


@ install Complete = — = ~ 
Restore Default Folder | 


=] ArcSight SmartConnector [-]o] x | 


X ArcSight Focus Please Wait 


@ Pick Sho Previous Installation Found - Update Possible 


e Pre-instal A previous installation of an AroSight SmartConneoctor was found in 
the selected folder. The installer will update if to the latest version 

e Installing Do you want to continue? 

@ Upgrade 


Select the option to continue and upgrade the connector. 
The original installation is renamed by prefacing 
characters to the original folder name; the upgraded 
connector İs installed in the location 
$ARCSIGHT_HOME\current. 


a SmartConnector Upgrade -—|o x 
m To continue with the upgrade process, the SmartConnector Upgrade Wizard will now upgrade 
=x ArcSight your existing SmartConnector configuration and settings. 
Configure A unique Generator ID is required for this connector to generate unique Global Event IDs. 


Please refer to the SmartConnector User Guide for more information. 


Please continue to the next panel if you are ready to upgrade this SmartConnector. 


Provide ESM username and password as below and then 
Next. 


A Configuration upgrade successful! The SmartConnector Configuration Wizard will now upgrade 
X ArcSig ht the SmartConnector resource in the ArcSight Manager [arcsght.semxpert.com] at port [8443], 
to continue please login as a user with the appropriate privileges: 


Configure 


It will upgrade the connector so Finish the wizard. 


Upgrade process completed! 


X ArcSight 


Configure 


You may modify SmartConnector settings if you need to in the SmartConnector Configuration 
Wizard 


Select “I do not want to change any setting” then Next 
and exit. 


What would you like to do? 


<& ArcSight 


Configure 


A unique Generator ID is required for this connector to generate unique Global Event IDs. 
Please refer to the SmartConnector User Guide for more information. 


D Modi fy Connector 
Uninstall as a service 


Set Gobal Parameters 


© I do not want to change any setting 


Step 3: Start the connector service & check the latest agent.log & 
agent.wrapper.log to confirm successful Connector up- 


gradation. 


Z Services (Local) || Name = 


Description Status Startup Type LogO^ 

s App Readiness Gets apps ready for use the first time a user signs in to this PC and when adding new apps. Manual Local 

| Application Experience Processes application compatibility cache requests for applications as they are launched Manual (Trig... Local 
+ Application Identity Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. Manual (Trig... Local |g 

| Application Information Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will... Running Manual (Trig... Local 

sà Application Layer Gateway Service Provides support for 3rd party protocol plug-ins for Internet Connection Sharing Manual Local 

= Application Management Processes installation, removal, and enumeration requests for software deployed through Group Policy. if the service is disabl.. Manual Local 


rene Microsoft Windows Event Log - Unified ArcSight Microsoft Windows Event Log - Unified —_ Automatic Local 


» Background Intelligent Transfer Service Transfers files in th Start work bandwidth. If the service is disabled, then any applications that depend o.. Running Manual Local 
Background Tasks Infrastructure Service Windows infrastruc sich background tasks can run on the system. Running Automatic Local 

+ Bose Filtering Engine The Base Filtering É se manages firewall and Internet Protocol security (IPsec) policies and implement... Running Automatic Local 

+ Certificate Propagation Copies user certific Resume m smart cords into the current user's certificate store, detects when a smart car... Running Manual Local 
CNG Key Isolation The CNG key isolat estit SA process, The service provides key process isolation to private keys and asso... Manual (Trig... Local 
ACOM» Event System Supports System Ey NS), which provides automatic distribution of events to subscribing Compone. Running Automatic Local 
COM» System Application Manages the confit All Tasks * nponent Object Model (COM)+-based components. If the service is stopped, ... Manual Local 

|% Computer Browser Maintains an updat Refresh network and supplies this list to computers designated as browsers. If this servi... Disabled Local 
> Credential Manager Provides secure sto les tials to users, applications and security service packages. Manual Local 
Cryptographic Services Provides three man Database Service, which confirms the signatures of Windows files and allows ne... Running Automatic Netwe 

| OCOM Server Process Launcher The OCOMLAUNCI Help 1 DCOM servers in response to object activation requests, If this service is stopp... Running Automatic Local 

|| Ci Device Association Service Enables pairing between the system and wired or wireless devices, Manual (Trig... Local 
à Device Install Service Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service... Manual (Trig... Local 

|| à Device Setup Manager Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configu... Manual (Trig... Local 
|| GQ DHCP Chent Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive... Running Automatic Local 
J, Diagnostic Policy Service The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. if thisse.. Running Automatic (D. Local 

| Š Diagnostic Service Host The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service co... Manual Local 
Š Diagnostic System Host The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System co... Manual Local 

& Distributed Link Tracking Client Maintains links between NTFS files within a computer or across computers in a network. Running Automatic Local 

sà Distributed Transaction Coordinator Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this s.. Running Automatic (0... Netwe 

| “ONS Client The ONS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this c~. Running Automatic (T... Netwe 


Enenntinn File Sustanm (FS). 
< 


Drowides the core file enceuntion technolonw used to store encomted files on NTFS file sectam volumes if this canica ic tann. 
w 


Manual(Tia Local ~ 
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How to Increase the [VM of Connector 


As default JVM is 256 MB. Suppose we want to increase windows 
connector’s JVM. 


Step 1 - 
Step 2 - 


First we will stop the connecter service. 


Browse connector folder where it is installed 


ie: C:\ drive -> current -> config -> agent and right click 
on agent.wrapper.conf -> open in notepad. 


e > È m > ThisPC » Local Disk (C:) » Arcsight Connectors » Windows » current » config » agent > 
ok Favorites Name s Date modified Type Size 
E Desktop d enterpriseticketing 10/1 File folder 
Up Downloads J mic 10/13 File folder 
I Recent places dmg 10/1 File folder 
P" stnngs 10/1 File folder 
1 This PC T agent.defaults 10/13/2021 8:39 AM PROPERTIES File 98 KB 
fe Desktop _) agent.policy 10/13/2021 8:39AM POLICY File 1KB 
P Documents Tagentwrapper.conf ~———_-—‘$0/13/20218:39AM BASEFile «SKB 
iB Downloads T agent.wreer.initd 10/13/2021 8:39AM BASE File 3KB 
J} Music T connectorsetup.conappmode.ms.logger PROPERTIES File 11 KB 
È Pictures a connectorsetup.conappmode PROPERTIES File 17K8 
|B Videos 2 connectorupgrade.conappmode 10/1 PROPERTIES File 2 KB 
Ë, Local Disk (C) T connectorupgrade.state 10/13/202 PROPERTIES File 3 KB 
D installermap 10/13 PROPERTIES File 2K8 
G Network T) microsoft.to.local.logger 10/13 PROPERTIES File 13KB 
NTEventMappings 10/13/2021 8:39 AM Text Document 9 K8 
T StartupParameters.plist 10/13/2021 8:39AM BASE File 1K8 
T) wrapper-license 10/13/2021 8:39AM CONF File 1 KB 


Step 3 - Navigate to the line- 


“ # Initial Java Heap Size (In MB) 
Wrapper.java.initmemory=256 
#maximum Java Heap Size (In MB) 
Wrapper.java.smaxmemory=256" as below. 


# wrapper. java.command+../../../jre/bin/java 


# Java Main class 
wrapper. java.mainclass=com. arcsight.agent. loadable. _WrapperLauncher 


# Java Classpath (include wrapper.jar) Add class path elements as needed starting from 1 


rapper. java.classpath.1=../../../build/classes 
wrapper. java.classpath.2=../../../lib/agent/arcsightagents. jar 
wrapper. java.classpath.3=../../../user/agent/lib/* 
rapper. java.classpath.4*../../../lib/agent/jackson/* 
wrapper. java.classpath.5=../../../lib/agent/winrm4j/* 
rapper. java.classpath.6=../../../lib/agent/tomcat/* 
wrapper. java.classpath.7=../../../lib/agent/axis/all-axis-libs.jar 
wrapper. java.classpath.8=../../../lib/agent/agentframeworklib. jar 
rapper. java.classpath.9=../../../lib/agent/* 
wrapper. java.classpath.10=../../../i18n/common 
wrapper. java.classpath.11=../../../i18n/agent 
wrapper. java.classpath.12=../../../lib/agent/mq/* 
wrapper. java.classpath.13=../../../lib/agent/adal/* 
rapper. java.classpath.14=../../../lib/agent/http/* 
wrapper. java.classpath.15=../../../lib/agent/modules/* 


# Java Additional Parameters (additional parameters will now be written programatically) 
# wrapper. java.additional.1= 


# Initial Java Heap Size (in MB) 
rapper. java. initmemory=256| Í 


# Maximum Java Heap Size (in M8) 
rapper. java.maxmemory=256 


# Port which the native wrapper code will attempt to connect to 
rapper.port#1777 


# Number of seconds to allow for the JVM to be launched and contact the wrapper before the 
# wrapper should assume that the JVM is hung and terminate the JVM process. @ means never 


< 


And change it as required 
“ #Initial Java Heap Size (In MB) 
Wrapper.java.initmemory=1024 
#maximum Java Heap Size (In MB) 
Wrapper.javasmaxmemory=1024” as below. 


# wrapper. java.command=../../../jre/bin/java 


# Java Main class 
wrapper. java.mainclass=com.arcsight.agent.loadable._WrapperLauncher 


# Java Classpath (include wrapper.jar) Add class path elements as needed starting from 1 


wrapper. java.classpath.1=../../../build/classes 

wrapper. java.classpath.2=../../../lib/agent/arcsightagents. jar 
wrapper. java.classpath.3=../../../user/agent/lib/* 

wrapper. java.classpath.4=../../../lib/agent/jackson/* 

wrapper. java.classpath.5=../../../lib/agent/winrm4j/* 

wrapper. java.classpath.6=../../../lib/agent/tomcat/* 

wrapper. java.classpath.7=../../../lib/agent/axis/all-axis-libs.jar 
wrapper. java.classpath.8=../../../lib/agent/agentframeworklib. jar 
wrapper. java.classpath.9=../../../lib/agent/* 


wrapper. java.classpath.10=../../../i18n/common 
wrapper. java.classpath.11-.. . -/i18n/agent 

wrapper. java.classpath.12«.. .-/lib/agent/mq/* 
wrapper. java.classpath.13=.. .-/lib/agent/adal/* 
wrapper. java.classpath.14=.. .-/lib/agent/http/* 
wrapper. java.classpath.15=.. .-/lib/agent/modules/* 
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# Java Additional Parameters (additional parameters will now be written programatically) 
# wrapper. java.additional.1= 


Initial Java Heap Size (in MB) 
rapper. java. initmemory=1024 


# Maximum Java Heap Size (in MB) 
rapper. java.maxmemory=1024| 


# Port which the native wrapper code will attempt to connect to 
wrapper.port#1777 


# Number of seconds to allow for the JVM to be launched and contact the wrapper before the 
# wrapper should assume that the JVM is hung and terminate the JVM process. @ means never 


< 


Step 4 - Restart the connector service in services. 


ArcSight Lab 


ArcSight: 
We can access ESM by two ways. 


1- ESM Console 
2- Command Center 


ESM Console: 


3- ESM Console is the user interface by which we can access 
ESM. Like below- 


ArcSight Console 7.2.0.2635.0 


ArcSight 


User ID | 


Password 


Manager esm1 


| Login | Cancel 


There are three panels in ESM Console. 


1- Navigator- It further has three tabs. 


e Resource, 
e Package and 
e Use Cases. 


2- Viewer 
3- Inspect/Edit 


B ArcSight Console 7.2.0.2635.0 [esm1:amitkumargupta.ast] Permanent license. = | | 


File Edit View Window Tools System Help 
(M@O@xa [eam oom fas - |S goOaRMscea [OS o-a fa 
Navigator co?) | Viewer S? x| | Inspect/Edit o? 
Resources | Packages | Use Cases [F] All Logs Except ArcSight Event Inspector, [>] Active Channel:All Logs Except... 
[F] Active Channels Cti+Alt+A ow Active Channel: Total Events: 109,564 — Attributes | Filter | Sort Fields | Local Variables | Notes 
- Start Time: 13 Jan 2022 19:53:51 IST. 4 VeryHigh: 2,671 8 & I= Fiters @ 
Showing: All Channels End Time: 14 Jan 2022 19:53:51 IST High: 20,258 mmm u t 
Filter Device Vendor != "ArcSight" Medium: 16,331 mumm Edit | Summary 
Shortcuts i=} Inline Filter: NoFilter Low: 36,379 mmm | 1% Event conditions 


Verified Rules: No Rule 


Very Low: 33,375 MEME 


Ee 


= (2) Active Channels p-m = @ Device Vendor != ArcSight 
=) amitkumargupta’s Active Channels 
[>] All Logs From 192,168,0,24 Connector J = al 
[P] All Logs Including ArcSight 
[F] Bluecoat Proxy Event S EndTime $ t 1Name $ Attacker Address $ Target Address $ Priority $ 4 


[>] Fortinet Firewall deny event 14 Jan 2022 19:53:51 1ST An account was successfully logged on. 192.168.0.125 ms. 
[>] High No of firewall deny connection An account was logged off. 192,168.0.125 m 3 
[>} High No. of deny firewall connections outbound from same source An account was successfully logged on. 192,168.0.125 m 3 E FF = = 
(93 High No. of Login Failure From Same User Detected An account was logged off. 192,168.0.125 m 3 E on Conditions Editor Ga) +l- Global Variable... 
[>] Microsoft Windows Failed Login Event An account was successfully logged on. 192.168.0.125 m 3 Nene Op Condition ao 
= Shared An account was logged off. 192.168.0.125 ms = A 
=- All Active Channels An account was successfully logged on. 192.168.0.125 m 3 AE 
-E ArcSight Administration An account was logged off. 192.168.0.125 EE 3 =E an an 
(9) ArcSight Foundation ‘An account was successfully logged on. 192,168.0.125 m3 Bytes In = 5 
IHE ArcSight Solutions An account was logged off. 192,168.0.125 =m 3 =n ; 
#3 ArcSight System An account was successfully logged on. 192,168.0.125 m 3 ETES 7 
#19 Downloads An account was logged off. 192.168.0.125 m 3 7-2 = 
+E Personal An account was successfully logged on. 192.168.0.125 m 3 =a 5 
-E Public An account was logged off. 192.168.0.125 m 3 
+- Unassigned ‘An account was successfully logged on. 192.168.0125 EE 3 pean Taer., 
: An account was logged off. 192.168.0.125 m 3 Domain Name 
14 Jan 2022 19:49:51 1ST An account was successfully logged on. 192.168.0125 m 3 
| 14 Jan 2022 19:49:51 1ST An account was logged off. 192.168.0.125 mE posses 
[ll 14 Jan 2022 19:49:21 IST An account was successfully logged on. 192,168.0.125 mm s ~| EadTime 
< > 


Q Search for: 


Resource: There are 21 resources available. 


B Actors Ctrl +Alt+8 
© Assets Ctrl +Alt+S 
[=] Cases Ctrl +Alt+C 
@ Connectors Ctrl +AIt+£ 
[==] Customers Ctrl +Alt+M 
[Æ] Dashboards Ctrl +Alt+D 
gf Field Sets Ctrl +Alt+x 
[=] Files Ctrl +Alt4I 
[E] Filters Ctrl +Alt+F 
F] Integration Commands Ctri +Alt+O 
[=] Knowledge Base Ctrl +Alt+K 
E3 Lists Ctrl +Alt+T 
Fb Notifications Ctrl +Alt+N 
EJ) Query Viewers Ctrl +Alt+Q 
Reports Ctrl+Alt+R 
[5] Rules Ctrl +Alt+L 
[ a) Saved Searches Ctrl +Alt+w 
[A] Search Filters Ctrl +Alt+H 
[=] Stages Ctrl +Alt+G 
[2] Users Ctrl +aAlt+u 


1- Active Channel: Active Channels are the resource of 
ESM by which we can investigate the real time 
events and view event stream live or historical 
events by writing condition and also can download 
the events only in csv format from itself. 


2- Field Sets: Field Sets are the resource of ESM. Itis a 
combination of fields. Creating the Field Set is one 
time task. Every device has approximately 30+ field 
set but by default ArcSight displays only some fields. 
So we create a group of all those required fields for 
analysis purpose, is called Field Set. 


There are 300+ fields are grouped together in 
17 groups of Field Sets as follows. 


Root 
Agent 
Attacker 


RO i 


B 


Category 
Destination 
Device 

Device Custom 
Event Annotation 
File 

Final Device 


MSE a 


co 
ME) 1 


Flex 

Old File 
Original Agent 
Request 
Source 

Target 

Threat 


v v v v v v v y v v v v v v v v v 


a 
T 
Pa 
1} 
2 
© 
% 


3- Filters: Filter is another resource of the ESM. Filter 
is nothing but set of conditions that we have to write 
in many places such as rules, queries, active channel, 
data monitor. So instead of writing the condition 
manually, we can call the filter. 


Inline Filter: Inline filters further refine the result of 
a filtered active channel. 


4- Query Viewer: Query viewer is a resource of ESM 
which displays the result of queries in order to get 
real time events or historical events by defining 
condition, time and field set in query. 


5- Reports: Report is a resource of ESM which process 
the queries in background of ESM and does not 
much impact on the resources of ArcSight. It 
provides option to download the result of queries in 
which time, condition, Field Sets are defined. Report 
can be download in multiple formats. ie: csv, pdf, 
xslx etc. 


There are two ways to generate the report. 


1- Query based Report (Query -> Report)- 
Whenever we run the report based on query, 
at the same time, it goes to database and 
search the log based on defined query. 

2- Trend based Report (Query -> Trend -> 
Report)- Whenever we run the report based 
on trend, we schedule the trend and at the 
scheduled trend, it goes to database, search 
the log based on defined query and save it to 
trend table in database. After it when we run 
the report, it immediately it downloads the 
report from the trend table. 


6- Rules: Rule is a resource of ESM. Rule is nothing but 

set of conditions along with aggregation. 

When we correlate it with each other, it is 
called correlation rule. 

There are three type of rule. 

1- Standard Rule 

2- Lightweight Rule 

3- Pre-persistence Rule 


Fine Tune of Rule- Doing the necessary changes on 

the rule condition or aggregation to insure that 

maximum time the rule will trigger only in case any 

suspicious activity found. 

We can do fine tune by- 

1- Increasing or decreasing the aggregation 

2- Changing the rule condition or Whitelisting 
certain condition to avoid false positive alert. 

3- Applying suppression or delay list to avoid 
repetitive rule firing. 

4- Avoid partial matches of the rules by decreasing 
the aggregation. 


7- List or Active List: Active Lists are resources of the 
ESM that store event data/fields (not entire events) 
for a definite or indefinite period of time. 

We have two kind of Active List: 

e Event based Active List- In event based 
active list, during the creation of active list, 
we define only ArcSight defined fields and 
can use for that purpose only for which it is 
being created. It is less resource intensive. 

e Field Based Active List- In field based 
active list it provide flexibility while creating 
active list, we can give it own name and use 
for multiple purposes. Once we call it to the 
rule we map with the ArcSight defined fields. 
It is less resource intensive. 


8- Stages: Stage is a resource of ESM. Stages are 
nothing but state of the events which is set by the 
analyst by annotating events from the main channel 
and setting them to various level of investigation. Ie: 
Queued, In-Progress, Follow-up or Closed. 


9- Dashboard: Dashboard is another resource of ESM 
which enables visualization of Real-time event 
monitoring and correlation with data from ArcSight 
Enterprise Security and helps us to identify, and 
analyse potential threats. 

To create a dashboard, first we will 
create Data Monitor which is as follows:- 


Data Monitor Type Select your Data Monitor type v 
Select your Data Monitor type 
Asset Category Count 
Event Correlation 
Event Graph 
Geographic Event Graph 
Hierarchy Map 
Hourly Counts 
Last N Events 
Last State 
Moving Average 
Rules Partial Match 


System Monitor Attribute 


op Value Counts (Bucketized) 


High Severity Daily incidents 


1- High No Windows login failure attempt detected. 
2- High no of UNIX login failure attempt detected. 

3- High no of deny firewall traffic inbound/outbound. 
4- Successful connection from blacklisted IP. 


5- Successful Brute force attacks. 


6- Successful connection towards blacklisted IP. 


7- Traffic from Trojan port/malware ports. Rule for Allowed 
event only. 

8- Traffic towards Trojan port/malware ports. Rule for Allow & 
Deny both. 

9- Torrent traffic detected. 


10-Symantec antivirus detected malware. 


What is Threat Feeds- Set of IPs, Urls, 
Domains, emails, etc. which are blacklisted due to 
involvement in suspicious activity. 


IOCs (Indicators of Compromise)- Set of IPs, 
Urls, Domains, emails etc. which are recently used in 
malicious activities is called IOCs. 


ArcMC - ArcSight Management Center (ArcMC) 
is a centralized security management centre that is 
used to manage large/multiple deployments of 
ArcSight solutions such as ArcSight Connector, ESM 
& Logger through a centralized management 
console. We can upgrade the components and can 
back up of all these components. 


